Documentation ¶
Overview ¶
Package verify provides functions to check an endorsement against a UEFI binary.
Index ¶
- Variables
- func CheckCertificate(certder []byte, rootsOfTrust *x509.CertPool, now time.Time) (*x509.Certificate, error)
- func Endorsement(serializedEndorsement []byte, opts *Options) error
- func EndorsementProto(endorsement *epb.VMLaunchEndorsement, opts *Options) error
- func GCETcbURL(objectName string) string
- func SNP(golden *epb.VMGoldenMeasurement, opts *SNPOptions) error
- func SNPFamilyValidateFunc(familyID string, opts *Options) func(*spb.Attestation, []byte) error
- func SNPValidateFunc(opts *Options) func(*spb.Attestation, []byte) error
- type HTTPSGetter
- type Options
- type SNPOptions
Constants ¶
This section is empty.
Variables ¶
var (
	// ErrNoSevSnp is returned when SNP verification is requested but is not present in the
	// endorsement.
	ErrNoSevSnp = errors.New("golden measurement does not have SEV-SNP information")
	// ErrNoSevSnpMeasurements is returned when a measurement verification is requested but the golden
	// measurement does not have any SEV-SNP measurements.
	ErrNoSevSnpMeasurements = errors.New("golden measurement does not have SEV-SNP measurements")
	// ErrNoEndorsementCert is returned when a launch endorsement's Cert field is empty.
	ErrNoEndorsementCert = errors.New("endorsement certificate is empty")
)
Functions ¶
func CheckCertificate ¶
func CheckCertificate(certder []byte, rootsOfTrust *x509.CertPool, now time.Time) (*x509.Certificate, error)
CheckCertificate returns an error if the given certificate isn't signed by a root of trust, or the parsed certificate if its signature is valid.
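As an added illustration (not the verify package's own code), the following stand-alone Go program mirrors this contract with crypto/x509: it builds a constructed root and an endorser certificate signed by it, then shows that acceptance depends on both the supplied root pool and the caller-provided time, the roles that Options.RootsOfTrust and Options.Now play in this package. The names checkCertificate, issue and demo are hypothetical; no function here is the package's implementation.

```go
package main
import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)
// checkCertificate follows the contract documented for verify.CheckCertificate (parse the DER certificate, require it to
// chain to rootsOfTrust as of now). Added illustration on crypto/x509, not the verify package's own implementation.
// ExtKeyUsageAny is set because an endorsement signer is not a TLS server certificate, which is Verify's default EKU.
func checkCertificate(certder []byte, rootsOfTrust *x509.CertPool, now time.Time) (*x509.Certificate, error) {
	if rootsOfTrust == nil { // a nil pool would make Verify fall back to the system store, which is not a root of trust here
		return nil, fmt.Errorf("no roots of trust supplied")
	}
	cert, err := x509.ParseCertificate(certder)
	if err == nil {
		_, err = cert.Verify(x509.VerifyOptions{Roots: rootsOfTrust, CurrentTime: now, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
	}
	if err != nil {
		return nil, fmt.Errorf("certificate rejected at %s: %w", now.Format(time.RFC3339), err)
	}
	return cert, nil
}
// issue creates an Ed25519 certificate for name valid over [from, to]; parent == nil yields a self-signed CA.
// Errors are ignored only because the templates are fixed, constructed test material.
func issue(name string, from, to time.Time, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(int64(len(name))), Subject: pkix.Name{CommonName: name},
		NotBefore: from, NotAfter: to, BasicConstraintsValid: true, IsCA: parent == nil}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}
// demo reports whether a constructed leaf is accepted inside its validity window, after expiry, and against an empty pool.
func demo() (acceptedInValidity, acceptedAfterExpiry, acceptedByEmptyPool bool) {
	t0 := time.Date(2024, 1, 1, 0, 0, 0, 0, time.UTC)
	root, rootKey := issue("constructed-root", t0, t0.AddDate(10, 0, 0), nil, nil)
	leaf, _ := issue("constructed-endorser", t0, t0.AddDate(1, 0, 0), root, rootKey)
	trusted := x509.NewCertPool()
	trusted.AddCert(root)
	_, e1 := checkCertificate(leaf.Raw, trusted, t0.AddDate(0, 6, 0))
	_, e2 := checkCertificate(leaf.Raw, trusted, t0.AddDate(2, 0, 0))
	_, e3 := checkCertificate(leaf.Raw, x509.NewCertPool(), t0.AddDate(0, 6, 0))
	return e1 == nil, e2 == nil, e3 == nil
}
```

Pinning the evaluation time, rather than reading the wall clock inside the check, is what makes verification of an archived endorsement reproducible.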
func Endorsement ¶
func Endorsement(serializedEndorsement []byte, opts *Options) error
Endorsement validates the signature and some contents of the serialized launch endorsement message.
func EndorsementProto ¶
func EndorsementProto(endorsement *epb.VMLaunchEndorsement, opts *Options) error
EndorsementProto validates the signature and some contents of the launch endorsement message.
func GCETcbURL ¶
func GCETcbURL(objectName string) string
GCETcbURL returns the URL to the named object within the gce-tcb-integrity storage bucket.
func SNP ¶
func SNP(golden *epb.VMGoldenMeasurement, opts *SNPOptions) error
SNP returns an error if the golden measurement violates SNP-specific validation options.
func SNPFamilyValidateFunc ¶
func SNPFamilyValidateFunc(familyID string, opts *Options) func(*spb.Attestation, []byte) error
SNPFamilyValidateFunc returns a validation function that can be used with go-sev-guest on an SEV-SNP attestation report, given an expected familyID.
func SNPValidateFunc ¶
func SNPValidateFunc(opts *Options) func(*spb.Attestation, []byte) error
SNPValidateFunc returns a validation function that can be used with go-sev-guest on an SEV-SNP attestation report.
Types ¶
type HTTPSGetter ¶
HTTPSGetter represents the ability to fetch data from the internet from an HTTP URL. Used particularly for fetching certificates.
type Options ¶
type Options struct {
	SNP                *SNPOptions
	RootsOfTrust       *x509.CertPool
	ExpectedUefiSha384 []byte
	Now                time.Time
	Getter             HTTPSGetter
}
Options provides validation options when checking a launch endorsement.
type SNPOptions ¶
type SNPOptions struct {
	// Measurement is an optional SEV-SNP measurement to check against the endorsement's list of
	// measurements.
	Measurement []byte
	// ExpectedLaunchVMSAs is an optional (0 ignored) number of expected VMSAs to have launched with.
	// The effect is that the measurement is compared against only the measurement computed for this
	// VMSA count. It is an error for ExpectedLaunchVMSAs to be non-zero while Measurement is nil.
	ExpectedLaunchVMSAs uint32
}
SNPOptions are SEV-SNP technology-specific validation options to check against the endorsement.
Directories ¶
Path | Synopsis
---|---
verifytest | Package verifytest provides testonly data for verifying UEFI endorsements.